Pegasus

In August 2016, Apple pushed an emergency iOS update to patch zero-day vulnerabilities, dubbed Trident. The zero-days include CVE-2016-4655, a memory corruption vulnerability, CVE-2016-4656, a kernel base mapping vulnerability, and CVE-2016-4657, a kernel memory corruption vulnerability that leads to jailbreaking the device. Israeli software company, NSO Group, sold the vulnerabilities and the spyware used to exploit them, called “Pegasus.” Pegasus is an advanced malware that uses code obfuscation, encryption, and bypasses application-layer security in many popular voice and audio calls and apps, such as email, Facebook, WhatsApp, Facetime, and Telegram. The malware can steal the victim’s contact list, GPS location, and any personal WiFi and router passwords stored on the iOS device. The NSO Group sold the spyware to governments and third parties that then used Pegasus to remotely spy on high-value targets, such as human rights activists and journalists. The iOS spyware was first revealed by a human rights activist in the United Arab Emirates when he contacted Citizen Lab after noticing a strange text message sent to his iPhone from an unrecognized number. The specially crafted text message contained a suspicious link. The activist did not click the link, and instead forwarded the text message to Citizen Lab. Citizen Lab researchers analyzed the link and determined it was part of a network of exploit infrastructure domains used by the NSO Group.

Reporting

August 2016: A Hacking Group is Selling iPhone Spyware to Governments. (Wired)

March 2017: Google and Lookout researchers published a report on the activities of a new Android malware family, Chrysaor, believed to be the counterpart to the Pegasus iOS spyware. (Google)

Technical Details

Lookout provides a technical analysis of the Pegasus malware, available here.

Reference in this site to any specific commercial product, process, or service, or the use of any trade, firm or corporation name is for the information and convenience of the public, and does not constitute endorsement, recommendation, or favoring by the NJCCIC and the State of New Jersey.